Multiple Malware Families Leveraging AresLoader for Propagation
Malware loaders are programs or scripts that have been created to install and run different types of malware on a victim’s computer system. The main objective of a malware loader is to avoid detection and continue operating on the victim’s computer by downloading and executing additional malicious software. To achieve this, loaders may use tactics such as encrypting or obfuscating the malicious payload to make it more difficult for antivirus software to detect it.
Recently, Cyble Research and Intelligence Labs (CRIL) has observed a new loader called AresLoader that has been used to spread several types of malware families. AresLoader is a loader malware written in the C programming language that first emerged in cybercrime forums and Telegram channels in 2022. This loader is available on a Malware-as-a-Service (MaaS) model and is developed by the same Threat Actors (TA) who were responsible for the AiD Locker ransomware. The members of this group are also suspected of having connections to a Russian hacktivist group. The cost of AresLoader is USD 300 per month, including five builds.
The figure below displays the AresLoader post on a cybercrime forum.
AresLoader operates through a series of stages, with the initial loader binary containing embedded code that is injected in subsequent stages. After analyzing several binaries of AresLoader, CRIL discovered that the methods used to extract and inject the loader code differ from one binary to the next.
This highlights the TA’s efforts to avoid detection by frequently updating their infection techniques.
The loader has been observed to be used by multiple malware strains, as depicted in the figure below.
According to the TA, the malware initiates the launch of a legitimate file before deploying a malicious payload. The TAs responsible for this loader offer access to a builder that can be utilized to create a loader executable. Additionally, several web panels have been identified in association with this loader.
The figure below displays the AresLoader web panel.
Upon further investigation, CRIL discovered a GitLab repository located at hxxps[:]//gitlab.com/citrixchat-project/citrixproject/ distributing the AresLoader malware. This repository was masquerading as “citrixproject,” suggesting that the threat actor was specifically targeting Citrix users. Within this directory, the file labeled “AG.exe” was identified as AresLoader, which proceeded to download the LummaStealer and IcedID payloads.
The figure provided below illustrates the GitLab repository.
Technical Analysis
The AresLoader executable (SHA-256: 867c574602105903116dca0a8b826e474a555980a193524d1aa7f15aecbc9ae4) is a 32-bit binary compiled in C.
The figure below shows the file details.
Upon execution, the malware calls the CreateWindowEx() API with the class name “GLSample” and the window name “OpenGL Sample”. The window procedure function registered with this API does not contain any obvious malicious code in the callback function, leading us to suspect that this code may be intended to delay the analysis of the malware.
The figure below shows the code snippet of the CreateWindowEx() API.
The malware next attempts to load “sc.exe” using the CoLoadLibrary() function. If this attempt fails, the functions inside the if statement are executed. These functions appear to extract the next-stage payload from the binary and inject it into memory.
However, they are decoy functions whose only effect is to terminate the malware program.
The figure below shows the fake functions present in the malware.
The malware now begins to enumerate the Process Environment Block (PEB) to gather information about the loaded modules. It does this by traversing the InMemoryOrderModuleList and accessing the third node in the list using Flink.
This allows the malware to retrieve the address of the _LIST_ENTRY structure for the “ntdll.dll” module for resolving APIs.
The figure below shows the GetNtDLL() function.
Subsequently, the malware resolves APIs dynamically. This malware employs the API hashing technique to complicate detection and analysis. The targeted APIs belong to ntdll.dll and serve as a means for malware to perform malicious actions. The loader retrieves the address of the following API functions:
- pLdrFindResource_U
- pLdrAccessResource
- pNtAllocateVirtualMemory
- pNtQueueApcThread
- pNtTestAlert
The figure below shows the GetNtDLL() and get_proc_address() functions.
Next, the malware calls the pLdrFindResource_U() function to locate a resource within the malware file. On success, this function returns a pointer for the located resource, which is then passed to the pLdrAccessResource() function to retrieve the actual data of that resource.
The figure below shows the calls made by the loader to fetch the resource data.
Next, the malware uses the ZwAllocateVirtualMemory() function to reserve a memory area in the current process with read, write, and execute permissions.
The process for allocating memory space is demonstrated in the figure below.
The next step in the process is to decrypt the resource data that was obtained earlier. This is achieved by using the key, which is obtained from the .rdata section. Once the memory is allocated, the decryption loop begins, and the decrypted PE file is stored in the newly allocated memory.
The figure below shows the decryption loop and the decrypted PE file.
Subsequently, the malware calls ZwQueueApcThread() and NtTestAlert() to inject code into its own process memory. ZwQueueApcThread() schedules an Asynchronous Procedure Call (APC) routine that executes the injected code, and NtTestAlert(), which is part of the alert mechanism, triggers the execution of any pending APCs.
AresLoader v3:
AresLoader can download and execute files. Initially, it creates a folder in the AppData\Roaming directory where the downloaded payloads are saved. The saved file is then executed using the CreateProcessA() function.
The method used for executing the downloaded files can be seen in the figure below.
Prior to downloading the final payload, AresLoader obtains the public IP address of the infected system by sending a request to https://ipinfo.io/ip using the WinINet library.
Furthermore, it obtains additional information from the victim’s system and utilizes it to register the victim with the Command and Control (C&C) server via a POST request, as demonstrated below.
Finally, AresLoader initiates an internet session using the InternetOpenA() function and sets the user agent string to “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106.”. It then proceeds to make GET requests for downloading other malicious executables using the InternetOpenUrlA() function. Specifically, the malware makes GET requests to the following URLs:
- hxxp[:]//193.233.134[.]57/manager/legit: downloads a clean file
- hxxp[:]//193.233.134[.]57/manager/payload: downloads LummaStealer
- hxxp[:]//193.233.134[.]57/manager/hvnc: downloads IcedID
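The request sequence described above (public IP lookup, victim registration, then payload fetches from the same server) is a good network-level detection signal. The following Python detector is an added example, not code from the report or from Cyble: it assumes a constructed proxy log format of `<client_ip> <method> <url> "<user_agent>"`, and the sample log lines are constructed for illustration (the C2 address and paths are those quoted in the report).

```python
import re
from urllib.parse import urlparse

# User agent string quoted in the report (note it ends in "106.").
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100101 Firefox/106."
# Constructed proxy log lines (not from the report), one request per line:
#   <client_ip> <method> <url> "<user_agent>"
# 10.0.0.5 replays the AresLoader v3 sequence; 10.0.0.9 is benign noise.
SAMPLE_LOG = [
    f'10.0.0.5 GET https://ipinfo.io/ip "{UA}"',
    f'10.0.0.5 POST http://193.233.134.57/register "{UA}"',
    f'10.0.0.5 GET http://193.233.134.57/manager/legit "{UA}"',
    f'10.0.0.5 GET http://193.233.134.57/manager/payload "{UA}"',
    f'10.0.0.5 GET http://193.233.134.57/manager/hvnc "{UA}"',
    '10.0.0.9 GET https://ipinfo.io/ip "curl/8.0.1"',
    '10.0.0.9 GET https://example.com/manager/legit "curl/8.0.1"',
]

LOG_RE = re.compile(r'^(\S+)\s+(GET|POST)\s+(\S+)\s+"([^"]*)"$')
MANAGER_RE = re.compile(r"^/manager/(legit|payload|hvnc)$")

def parse_line(line):
    """Split one log line into its fields; returns None for unparsable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    src, method, url, ua = m.groups()
    u = urlparse(url)
    return {"src": src, "method": method, "host": u.hostname, "path": u.path, "ua": ua}

def detect_aresloader(lines):
    """Per-client state machine over the sequence the report describes: GET ipinfo.io/ip,
    then POST /register, then GET /manager/<name> from the same server. Returns alerts by IP."""
    state, alerts = {}, {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = state.setdefault(rec["src"], {"stage": 0, "c2": None})
        if s["stage"] == 0 and rec["method"] == "GET" and rec["host"] == "ipinfo.io" and rec["path"] == "/ip":
            s["stage"] = 1                        # public IP lookup seen
        elif s["stage"] == 1 and rec["method"] == "POST" and rec["path"] == "/register":
            s["stage"], s["c2"] = 2, rec["host"]  # victim registration; remember the C2 host
        elif s["stage"] == 2 and rec["method"] == "GET" and rec["host"] == s["c2"]:
            m = MANAGER_RE.match(rec["path"])
            if m:                                 # payload fetch from the same C2 host
                a = alerts.setdefault(rec["src"], {"c2": s["c2"], "fetched": [], "ua_match": False})
                a["fetched"].append(m.group(1))
                a["ua_match"] = a["ua_match"] or rec["ua"].startswith(UA)
    return alerts
```

The user agent is treated only as a secondary signal, since the path sequence is the stronger indicator and the string may change between builds.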
Conclusion
AresLoader has been observed distributing various types of malware, implying that several threat actors are using it to propagate their malicious strains. To evade detection, this loader employs several defensive strategies. Our observation of different executables using different approaches to inject the loader code suggests that these TAs continually enhance their infection tactics.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Avoid downloading files from unknown websites.
- Use a reputed antivirus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees on protecting themselves from threats like phishing/untrusted URLs.
- Monitor beaconing at the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.
MITRE ATT&CK® Techniques
Tactic | Technique ID | Technique Name
Initial Access | T1566 | Phishing
Execution | T1204 | User Execution
Defense Evasion | T1027 | Obfuscated Files or Information
Defense Evasion | T1055 | Process Injection
Defense Evasion | T1027.007 | Dynamic API Resolution
Discovery | T1016 | System Network Configuration Discovery
Command and Control | T1071 | Application Layer Protocol
Command and Control | T1105 | Ingress Tool Transfer
Indicators of Compromise (IOCs)